Privacy Policy

Last updated: 2026-04-25.

Data we collect

• Email address (from sign-up and Firebase authentication)
• Firebase UID (used as account identifier)
• API request logs: endpoint, status code, response time
• IP address — daily-salted SHA-256 hash only, original is never stored
• Stripe customer + subscription IDs (for billing)

Processors we use

• Hetzner Online GmbH (Germany) — hosting
• Stripe Payments Europe Ltd. (Ireland) — payment processing
• Google LLC (Firebase Authentication) — sign-in
• Cloudflare Inc. — CDN, WAF, DDoS protection
• Resend Inc. — transactional email
• Plausible Insights OÜ — analytics (cookie-free, GDPR-friendly)

Retention

• usage_events: 13 months
• User accounts: until deletion request
• Backups: 30 days

Your rights (GDPR)

You have the right to access, rectify, erase, port, restrict, or object to processing of your personal data. We respond within 30 days. Contact: dpo@fitexercisedb.com.

Legal basis

• Art. 6.1.b GDPR (contract performance) for service delivery
• Art. 6.1.f GDPR (legitimate interest) for fraud detection and anti-leak measures

Contact

dpo@fitexercisedb.com

This policy is reviewed by counsel as we approach our public launch press. If you are a customer with concerns, please contact legal@fitexercisedb.com.